s3 debug

Author: ChristianPavilonis

crates/trusted-server-adapter-fastly/src/main.rs

@@ -16,7 +16,7 @@ use trusted_server_core::integrations::IntegrationRegistry;
 use trusted_server_core::platform::RuntimeServices;
 use trusted_server_core::proxy::{
     handle_asset_proxy_request, handle_first_party_click, handle_first_party_proxy,
-    handle_first_party_proxy_rebuild, handle_first_party_proxy_sign,
+    handle_first_party_proxy_rebuild, handle_first_party_proxy_sign, handle_s3_list_objects_debug,
 };
 use trusted_server_core::publisher::{
     handle_publisher_request, handle_tsjs_dynamic, stream_publisher_body, PublisherResponse,
@@ -230,6 +230,9 @@ async fn route_request(
         (Method::POST, "/admin/keys/deactivate") => {
             handle_deactivate_key(settings, runtime_services, req)
         }
+        (Method::GET, "/admin/debug/s3-objects") => {
+            handle_s3_list_objects_debug(settings, runtime_services, req).await
+        }
 
         // Unified auction endpoint (returns creative HTML inline)
         (Method::POST, "/auction") => {
@@ -341,6 +344,11 @@ async fn route_request(
     let mut response = result.unwrap_or_else(|e| to_error_response(&e));
 
     finalize_response(settings, geo_info.as_ref(), &mut response);
+    // Keep object-listing diagnostics non-cacheable even when operators set a
+    // global Cache-Control response header.
+    if path == "/admin/debug/s3-objects" {
+        response.set_header(header::CACHE_CONTROL, "no-store, private");
+    }
 
     Some(response)
 }

crates/trusted-server-adapter-fastly/src/route_tests.rs

@@ -1,6 +1,7 @@
 use std::net::IpAddr;
 use std::sync::{Arc, Mutex};
 
+use base64::{engine::general_purpose::STANDARD, Engine as _};
 use edgezero_core::body::Body as EdgeBody;
 use edgezero_core::http::response_builder as edge_response_builder;
 use edgezero_core::key_value_store::NoopKvStore;
@@ -258,6 +259,10 @@ fn test_runtime_services(req: &Request) -> RuntimeServices {
     )
 }
 
+fn admin_authorization_header() -> String {
+    format!("Basic {}", STANDARD.encode("admin:admin-pass"))
+}
+
 fn test_runtime_services_with_http_client(
     req: &Request,
     backend: Arc<dyn PlatformBackend>,
@@ -350,6 +355,66 @@ fn configured_missing_consent_store_only_breaks_consent_routes() {
     );
 }
 
+#[test]
+fn admin_s3_debug_requires_auth_even_when_disabled() {
+    let settings = create_test_settings();
+    let orchestrator = build_orchestrator(&settings).expect("should build auction orchestrator");
+    let integration_registry =
+        IntegrationRegistry::new(&settings).expect("should create integration registry");
+
+    let req = Request::get("https://test.com/admin/debug/s3-objects");
+    let services = test_runtime_services(&req);
+    let resp = futures::executor::block_on(route_request(
+        &settings,
+        &orchestrator,
+        &integration_registry,
+        &services,
+        req,
+    ))
+    .expect("should route admin S3 debug request");
+
+    assert_eq!(
+        resp.get_status(),
+        StatusCode::UNAUTHORIZED,
+        "should challenge unauthenticated S3 debug requests"
+    );
+}
+
+#[test]
+fn admin_s3_debug_disabled_returns_404_after_auth() {
+    let mut settings = create_test_settings();
+    settings.response_headers.insert(
+        header::CACHE_CONTROL.as_str().to_string(),
+        "public, max-age=3600".to_string(),
+    );
+    let orchestrator = build_orchestrator(&settings).expect("should build auction orchestrator");
+    let integration_registry =
+        IntegrationRegistry::new(&settings).expect("should create integration registry");
+
+    let req = Request::get("https://test.com/admin/debug/s3-objects")
+        .with_header(header::AUTHORIZATION, admin_authorization_header());
+    let services = test_runtime_services(&req);
+    let resp = futures::executor::block_on(route_request(
+        &settings,
+        &orchestrator,
+        &integration_registry,
+        &services,
+        req,
+    ))
+    .expect("should route admin S3 debug request");
+
+    assert_eq!(
+        resp.get_status(),
+        StatusCode::NOT_FOUND,
+        "should hide the S3 debug endpoint when the config flag is disabled"
+    );
+    assert_eq!(
+        resp.get_header_str(header::CACHE_CONTROL),
+        Some("no-store, private"),
+        "should prevent configured response headers from making S3 debug responses cacheable"
+    );
+}
+
 #[test]
 fn asset_routes_bypass_publisher_consent_dependencies() {
     let mut settings = create_test_settings();